
Internal Audit Teams Target IT Security In 2013

IT risk management grows in importance amid other business-level enterprise risk management concerns

As internal audit teams juggle the entire stack of enterprise risk management concerns, IT security and data privacy will continue to grow in priority amid other concerns like competition and risk from financial markets. Two new reports released during the past few weeks point to the growing need for IT risk management among internal auditors, as well as the increasing trend for internal audit teams to beef up their IT security acumen throughout the rest of 2013.

"There's a continuing emphasis around information security and how auditors help reduce that risk to a more nominal level," says Brian Christensen, executive vice president, global internal audit, at Protiviti. "Despite valiant efforts to get their hands around that, it remains an ever-growing challenge."

Protiviti's recent "2013 Internal Audit Capabilities and Needs Survey Report," which was conducted among 1,000 U.S. auditors, found that auditing IT was No. 2 out of the top five areas listed by respondents as the most ripe for improvement among internal auditors. Compare that to last year, when it didn't make the list, and to 2011, when it was fourth out of five, and it is clear that internal auditors are moving IT risk management up the stack.

Part of it stems from growing awareness among internal audit teams that the bar for gaining a comfortable level of knowledge within the IT risk management field continues to rise each year, Christensen says.

"When an organization feels that it has reached that level of comfort, someone will either figure out another way to take [threats] to another level, or the dynamic nature of changing technology requires an even greater element of discipline to understand and reduce the risk," he says. "We see the need to keep up with the technical security skill levels on the internal auditing side just to stay cognizant of those risks."

This observation tracks with the "2013 State of the internal audit profession study" from PwC, which was based on an online survey across a spectrum of CEOs, CFOs, chief audit executives, and chief risk officers around the globe, as well as on in-depth, case-study interviews of 140 additional executives. It showed that 41 percent of internal audit organizations are planning to add IT security skills to their internal audit capabilities in the next 18 months. Of those, 71 percent say they'll have to hire from outside the business or leverage third parties to bring in that expertise.

"The ability of the internal audit staff to, one, attract the professionals, the IT professionals, and others and retain those people in the face of severe competition has been a real issue," Arthur Rothkopf, trustee and chair of the audit committee for Educational Testing Service, said during a recent industry roundtable sponsored by PwC.

But the more reliant the company is on technology to maintain the business objectives of the organization, the more important it is for internal auditors to embed themselves into the IT organization to search for risks. And that will require the right skill sets to cooperate with IT staff as closely as possible.

"When organizations are contemplating or going through strategic change or investments in systems, infrastructures, or processes, the auditor of the future really should be embedded in part of that control process at the onset," Christensen says.

Historically, internal auditors came in after systems were deployed and processes defined. But the rapidly advancing technology and threat landscape requires a different approach, he says.

"The dynamic nature of IT environments today really makes them too late to the game if they apply themselves in that fashion," he says. "The auditor should be the strategic partner working with IT departments and really understand and really bring in the concepts of controls and risk."
